Even the producers of the most popular anti-virus packages are not flawless, and from time to time software intended to guard the gates of the computer turns out to be an open gate itself. A newly disclosed vulnerability affects several popular packages. This time, however, the cause is less a mistake by their producers than an ingenious use of symbolic links in the Microsoft NTFS file system.
Florian Bogner, an auditor at the Austrian company Kapsch, shared his find on his blog. The matter is quite serious, as it concerns the most popular antivirus programs: by using the quarantine procedure and NTFS symbolic links, the infected file can gain the same rights that the antivirus itself has.
An attack can occur after a malicious file has been moved to quarantine. Once it is isolated, the attacker can leave a symbolic link in its place, i.e. a file that redirects to another location. Such links have been used in NTFS since Windows 2000 as directory links. After the link is created and the file is then restored from quarantine, the restore can be redirected to any other location on the victim’s hard disk, and the write is made with the highest permissions.
You can protect yourself against this vulnerability. Bogner announced that Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point (ZoneAlarm) and Ikarus have already released security updates against the use of symbolic links, and we recommend that users update their anti-virus software. Users of other anti-virus programs should wait for an update before restoring files from quarantine.
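The restore step described above fails when the original location has been swapped for a link, so a restore routine can refuse to write if any component of the original path redirects elsewhere. The following is an added example, not code from Bogner's post or from any vendor; the function names and the constructed scenario in `demo()` are assumptions, and a plain symbolic link stands in for an NTFS directory link so the demo also runs outside Windows.

```python
import os
import stat
import tempfile
from pathlib import Path

# FILE_ATTRIBUTE_REPARSE_POINT marks NTFS junctions and symbolic links.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)

def is_redirect(path):
    """True if path itself is a symlink or an NTFS reparse point."""
    try:
        st = os.lstat(path)  # lstat inspects the link, not its target
    except FileNotFoundError:
        return False  # nothing there yet (e.g. the quarantined file)
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes exists only on Windows; 0 elsewhere.
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE)

def redirected_components(target):
    """List every existing component of target that redirects elsewhere."""
    target = Path(os.path.abspath(target))  # abspath does not resolve links
    chain = [target] + list(target.parents)
    return [str(p) for p in reversed(chain) if is_redirect(p)]

def safe_to_restore(original_path):
    """Hypothetical pre-restore gate: refuse if any component is a link."""
    return not redirected_components(original_path)

def demo():
    """Constructed scenario: the file's folder is replaced by a link."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(os.path.realpath(tmp))
        user_dir = root / "downloads"
        protected = root / "protected"
        user_dir.mkdir()
        protected.mkdir()
        original = user_dir / "sample.dll"    # file now in quarantine
        before = safe_to_restore(original)    # real folder: allowed
        user_dir.rmdir()
        os.symlink(protected, user_dir, target_is_directory=True)
        after = safe_to_restore(original)     # folder is a link: refused
        exact = redirected_components(original) == [str(user_dir)]
        return before, after, exact

if __name__ == "__main__":
    print(demo())
```

A check of this kind still leaves a window between the check and the write, so it complements the vendors' updates and does not replace them.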
If you are not satisfied with your antivirus program, you can always install another one; a list of the most popular can be found here.